AN1923: Analytic 1923
Monitor for newly executed processes that depend on user interaction, especially for applications that can embed programmatic capabilities (e.g., Microsoft Office products with scripts, installers, zip files). This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads. For added context on adversary procedures and background see User Execution and applicable sub-techniques.

Monitor for application logging, messaging, and/or other artifacts that may rely upon specific actions by a user in order to gain execution.

Monitor for newly constructed web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Monitor and analyze traffic patterns and packet inspection associated with such connections.

Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, or msiexec.exe).

Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning PowerShell).
Analyst context for executives and security teams
AN1923 is a detection analytic for user-driven execution paths: a person opens a document, installer, archive, PDF, message, or similar artifact, and that action results in process execution or outbound web activity. For security leaders, the practical issue is not just phishing awareness; it is whether the SOC can prove what the user opened, what process ran, what command line was used, and whether the endpoint then contacted a suspicious destination. No platform or tactic is attached to this object, so whether it applies to enterprise desktops, operational support systems, or both is a local decision; in either case, user workstations are the decision point for containment before activity reaches more sensitive environments.
Executive priority
Prioritize this analytic as a readiness check for managed detection, incident response, and audit evidence around user-initiated execution. Leaders should ask whether endpoint, application, messaging, and network telemetry can be correlated quickly enough to support containment decisions. The business value is strongest where user-opened files, installers, archives, or script-capable applications are common and where a missed execution chain could disrupt operational resilience or complicate regulatory evidence gathering.
Technical view
Validate monitoring for newly executed processes that appear to depend on user interaction, especially applications capable of embedded programmatic behavior such as Office-like documents with scripts, installers, archive/compression tools, PDFs, and similar files. Correlate process creation and command-line data with application logs, messaging artifacts, and newly constructed web connections to suspicious or malicious destinations. Tune for anomalous cases where files or utilities that do not normally initiate network connections do so, including the examples named by MITRE: regsvr32.exe, rundll.exe, SCF, HTA, MSI, DLLs, and msiexec.exe (note that the binary Windows actually ships is rundll32.exe; a rule that matches the literal string "rundll.exe" will miss it). Because no ATT&CK platforms or tactics are specified for this object, local environment baselining is required before treating any one process or file type as high confidence.
Likely telemetry
- Endpoint process creation events for newly executed processes
- Command-line arguments associated with user-opened files or installers
- Application logs from document readers, Office-like applications, archive tools, installers, and similar user-facing software
- Messaging or file-delivery artifacts that show the user action that preceded execution
- Endpoint security or anti-virus detections for downloaded and executed files
- Network connection events attributable to the originating process, so that outbound web activity can be tied back to the process and command line that produced it
Detection direction
- Correlate user action, process creation, command line, and outbound web connections rather than alerting on any single event in isolation.
- Baseline normal business use of installers, archive tools, document applications, and PDF readers to reduce false positives from legitimate workflows.
- Look for unusual network activity from files or utilities that normally should not initiate connections, including the specific binaries and file types referenced in the MITRE description.
- Use destination reputation or campaign context where available, but avoid relying only on known-bad destinations because suspicious execution may appear before reputation data is available.
- Confirm whether endpoint and network sensing can detect post-open behavior such as a document or PDF reaching out to the internet or spawning PowerShell, as described by MITRE.
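The correlation described in the technical view and the detection direction above, as an added example (not MITRE's or Glexia's code): a small Python analytic that joins constructed Sysmon-style process creation (Event ID 1) and network connection (Event ID 3) records into findings that answer the four playbook questions at once, namely what the user opened, which process ran, with which command line, and which destination it contacted. The event field names, the application and script-host sets, and the per-application destination baseline are this example's assumptions, not a vendor schema or a MITRE list; the sample events, hostnames, and addresses are constructed.

```python
"""Correlate user-driven execution chains (AN1923) across constructed endpoint events.

Added example, not MITRE or Glexia code. Events mimic Sysmon Event ID 1 (process
creation) and Event ID 3 (network connection) but are constructed inline; the
field names are this example's assumptions, not a vendor schema.
"""
import re
from collections import defaultdict

# Applications that open user-delivered files: documents, PDFs, archives.
# explorer.exe is deliberately excluded as a parent: it spawns everything a
# user launches, so an explorer->child rule drowns in noise.
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe",
                       "7zfm.exe", "winrar.exe"}
# Script hosts and proxy binaries from the MITRE description. rundll32.exe is the
# binary Windows actually ships; "rundll.exe" is kept as the description spells it.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "regsvr32.exe", "rundll32.exe",
                       "rundll.exe", "mshta.exe", "msiexec.exe", "wscript.exe", "cscript.exe"}
# Binaries that should not normally initiate outbound connections here (assumption).
NO_NETWORK_EXPECTED = {"regsvr32.exe", "rundll32.exe", "rundll.exe", "mshta.exe", "msiexec.exe"}
# Constructed baseline: destinations a document reader contacts during normal use.
BASELINE_DESTINATIONS = {"acrord32.exe": {"armmf.adobe.com"}}

OPENED_FILE_RE = re.compile(
    r'"?([A-Za-z]:\\[^"]+?\.(?:docm?|xlsm?|pptm?|pdf|zip|rar|iso|msi|hta|scf))"?', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def opened_file(cmdline):
    """Return the user-opened document/archive path from a command line, if any."""
    m = OPENED_FILE_RE.search(cmdline)
    return m.group(1) if m else None


def analyze(events, baseline=BASELINE_DESTINATIONS):
    """Tie user action, process, command line and destinations together into findings."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    conns = defaultdict(list)
    for e in events:
        if e["id"] == 3:
            conns[e["pid"]].append(e)

    def descendants(pid):
        out = [pid]
        for p in procs.values():
            if p["ppid"] == pid:
                out.extend(descendants(p["pid"]))
        return out

    findings = []
    # Rule 1: a user-facing application spawned a script host or proxy binary. The
    # parent's command line records what the user opened; connections made by the
    # child or its descendants are attached to the same finding.
    for p in procs.values():
        parent, child = basename(p["parent_image"]), basename(p["image"])
        if parent in USER_FACING_PARENTS and child in SUSPICIOUS_CHILDREN:
            parent_proc = procs.get(p["ppid"])
            chain_conns = [c for d in descendants(p["pid"]) for c in conns.get(d, [])]
            findings.append({
                "rule": "user_app_spawned_script_host", "user": p["user"],
                "opened_file": opened_file(parent_proc["cmdline"]) if parent_proc else None,
                "parent": parent, "child": child, "cmdline": p["cmdline"],
                "destinations": sorted({f'{c["dest_host"]}:{c["dest_port"]}' for c in chain_conns}),
            })
    # Rules 2 and 3: outbound connections from binaries that should not make them,
    # and from document applications to destinations outside the local baseline.
    for pid, cs in conns.items():
        image = basename(procs[pid]["image"] if pid in procs else cs[0]["image"])
        for c in cs:
            dest = f'{c["dest_host"]}:{c["dest_port"]}'
            if image in NO_NETWORK_EXPECTED:
                findings.append({"rule": "network_from_no_network_binary", "pid": pid,
                                 "image": image, "destination": dest})
            elif image in USER_FACING_PARENTS and c["dest_host"] not in baseline.get(image, set()):
                findings.append({"rule": "document_app_outbound_unbaselined", "pid": pid,
                                 "image": image, "destination": dest})
    return findings


# Constructed sample: Alice opens a macro-enabled invoice, Word spawns an encoded
# PowerShell that calls out; she also browses, opens a PDF and runs an installer.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ACRO = r"C:\Program Files\Adobe\Acrobat Reader\Reader\AcroRd32.exe"
EXPLORER = r"C:\Windows\explorer.exe"
EVENTS = [
    {"id": 1, "pid": 200, "ppid": 100, "image": OFFICE, "parent_image": EXPLORER, "user": "CORP\\alice",
     "cmdline": f'"{OFFICE}" /n "C:\\Users\\alice\\Downloads\\invoice_2024.docm"'},
    {"id": 1, "pid": 300, "ppid": 200, "image": PS, "parent_image": OFFICE, "user": "CORP\\alice",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},  # base64 of UTF-16LE "IEX"
    {"id": 1, "pid": 400, "ppid": 100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": EXPLORER, "user": "CORP\\alice", "cmdline": "chrome.exe"},
    {"id": 1, "pid": 500, "ppid": 100, "image": ACRO, "parent_image": EXPLORER, "user": "CORP\\alice",
     "cmdline": f'"{ACRO}" "C:\\Users\\alice\\Downloads\\statement.pdf"'},
    {"id": 1, "pid": 600, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe", "parent_image": EXPLORER,
     "user": "CORP\\alice", "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\setup.msi" /qn'},
    {"id": 3, "pid": 300, "image": PS, "dest_host": "update-invoice-portal.example",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"id": 3, "pid": 400, "image": "chrome.exe", "dest_host": "www.example.com",
     "dest_ip": "203.0.113.5", "dest_port": 443},
    {"id": 3, "pid": 500, "image": ACRO, "dest_host": "armmf.adobe.com",
     "dest_ip": "203.0.113.20", "dest_port": 443},
    {"id": 3, "pid": 500, "image": ACRO, "dest_host": "cdn-docs-view.example",
     "dest_ip": "198.51.100.7", "dest_port": 443},
    {"id": 3, "pid": 600, "image": "msiexec.exe", "dest_host": "pkg-mirror.example",
     "dest_ip": "198.51.100.20", "dest_port": 80},
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

Run against the sample, the Word chain produces one finding that already carries the opened .docm path, the child process, its encoded command line and the destination it contacted; the Acrobat connection to the baselined update host is suppressed while the unbaselined one is raised; the browser produces nothing; and the installer's outbound connection is raised only because msiexec.exe is in the local no-network set, which is exactly the kind of entry that needs baselining before it is trusted.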
Mitigation priorities
- Treat this as a detection and readiness analytic, not a standalone mitigation recommendation.
- Prioritize complete endpoint and network sensing for user-facing applications and file types that can launch code or initiate web connections.
- Ensure incident response playbooks can quickly answer: what did the user open, what process executed, what command line ran, and what destination was contacted.
- Use anti-virus, endpoint sensing, and network sensing as complementary controls; no single source should be assumed sufficient from the supplied ATT&CK fields.
- Focus hardening and monitoring reviews on user-executed document, archive, installer, and script-capable application paths where local business use permits.
Analyst notes and limits
The official description repeats several monitoring themes: user-dependent process execution, application or messaging artifacts, web connections to suspicious destinations, process and command-line correlation, and endpoint/network sensing for malicious documents or files. The object references User Execution and Deobfuscate/Decode Files or Information for context, but no explicit relationship objects were supplied here.
No official detection field, platforms, tactics, labels, aliases, or relationship context were supplied. This take therefore cannot assert specific ATT&CK technique coverage, platform applicability, adversary use, active exploitation, or guaranteed detection. Local telemetry quality, baselines, and business workflows determine how actionable this analytic will be.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c54b8dc8c006… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack AN1923 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.